File tls-version-min-max-option.patch of Package NetworkManager-openvpn
diff --git a/Makefile.am b/Makefile.am
index 27bbec95a912af1a4492807509e421fe1934fcb4..8e1b05aa949fbe5fd844db3d7ebcbff32564a2c3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -296,6 +296,7 @@ EXTRA_DIST += \
 properties/tests/conf/static2.ovpn \
 properties/tests/conf/tls.ovpn \
 properties/tests/conf/tls2.ovpn \
+ properties/tests/conf/tls3.ovpn \
 properties/tests/conf/tun-opts.conf \
 properties/tests/conf/proxy-http.ovpn \
 properties/tests/conf/httpauthfile \
diff --git a/properties/import-export.c b/properties/import-export.c
index 5507ab83537e09bb0b0897fa7f068967b844213c..a780fb3d0f0e8ebfb1e920b18903c22d7cfa13f0 100644
--- a/properties/import-export.c
+++ b/properties/import-export.c
@@ -1205,6 +1205,24 @@ do_import (const char *path, const char *contents, gsize contents_len, GError **
 continue;
 }
+ if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_VERSION_MIN)){
+ if (!args_params_check_nargs_n (params, 1, &line_error))
+ goto handle_line_error;
+ if (!args_params_check_arg_utf8 (params, 1, NULL, &line_error))
+ goto handle_line_error;
+ setting_vpn_add_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN, params[1]);
+ continue;
+ }
+
+ if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_VERSION_MAX)){
+ if (!args_params_check_nargs_n (params, 1, &line_error))
+ goto handle_line_error;
+ if (!args_params_check_arg_utf8 (params, 1, NULL, &line_error))
+ goto handle_line_error;
+ setting_vpn_add_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MAX, params[1]);
+ continue;
+ }
+
 if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_CA, NMV_OVPN_TAG_CERT,
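Review bot: The value stored from `params[1]` in both new tls-version branches is accepted unvalidated after the UTF-8 check, so an .ovpn file can put any string into NM_OPENVPN_KEY_TLS_VERSION_MIN/MAX, and the nm-openvpn-service.c hunk later hands that same string to the openvpn argv with only `nmovpn_arg_is_set` (presumably a non-empty check) in between; openvpn will refuse to start on garbage, but the error surfaces only at connect time instead of at import. Judging by its name, `args_params_check_nargs_n (params, 1, ...)` demands exactly one argument, so the optional `or-highest` keyword that the new dialog tooltip documents for tls-version-min would be rejected on import — either accept and store it, or drop it from the tooltip. A small helper restricting the value to the `<digit>.<digit>` form, used here and in the service, closes both paths; the same check belongs in the tls-version-max branch. Minor style: `)){` in both `NM_IN_STRSET` lines lacks the space before the brace used elsewhere in this function.
```c
/* Accept only the "<digit>.<digit>" form openvpn documents for
 * --tls-version-min/--tls-version-max, so nothing else is stored
 * in the connection or reaches the openvpn command line. */
static gboolean
tls_version_is_valid (const char *v)
{
	return    v
	       && g_ascii_isdigit (v[0])
	       && v[1] == '.'
	       && g_ascii_isdigit (v[2])
	       && v[3] == '\0';
}

/* … unchanged: do_import, tls-version-min branch up to the utf8 check … */
			if (!tls_version_is_valid (params[1])) {
				/* report through line_error the way the args_params_check_* helpers do */
				goto handle_line_error;
			}
			setting_vpn_add_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN, params[1]);
/* … same check before setting_vpn_add_data_item in the tls-version-max branch … */
```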
@@ -2058,6 +2076,14 @@ do_export_create (NMConnection *connection, const char *path, GError **error)
 nm_utils_str_utf8safe_unescape (key, &s_free));
 }
+ key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN);
+ if (nmovpn_arg_is_set (key))
+ args_write_line (f, NMV_OVPN_TAG_TLS_VERSION_MIN, key);
+
+ key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MAX);
+ if (nmovpn_arg_is_set (key))
+ args_write_line (f, NMV_OVPN_TAG_TLS_VERSION_MAX, key);
+
 key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_EXTRA_CERTS);
 if (nmovpn_arg_is_set (key)) {
 gs_free char *s_free = NULL;
diff --git a/properties/nm-openvpn-dialog.ui b/properties/nm-openvpn-dialog.ui
index c54cca14ef3d6909ff62cb7a2516f3511102bf1a..dc4504415114fd3f6b2ac1fb2fc2840f640c2f35 100644
--- a/properties/nm-openvpn-dialog.ui
+++ b/properties/nm-openvpn-dialog.ui
@@ -2479,6 +2479,84 @@ config: connect-timeout <n> | server-poll-timeout <n></property>
 <property name="position">1</property>
 </packing>
 </child>
+ <child>
+ <object class="GtkBox">
+ <property name="visible">True</property>
+ <property name="can_focus">False</property>
+ <child>
+ <object class="GtkLabel" id="tls_version_min_lbl">
+ <property name="visible">True</property>
+ <property name="can_focus">False</property>
+ <property name="label" translatable="yes">TLS _min version: </property>
+ <property name="use_underline">True</property>
+ <property name="mnemonic_widget">tls_version_min</property>
+ <property name="xalign">1</property>
+ </object>
+ <packing>
+ <property name="expand">False</property>
+ <property name="fill">True</property>
+ <property name="position">0</property>
+ </packing>
+ </child>
+ <child>
+ <object class="GtkEntry" id="tls_version_min">
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="tooltip_text" translatable="yes"> Sets the minimum TLS version we will accept from the peer (default is "1.0"). Examples for version include "1.0", "1.1", or "1.2". If 'or-highest' is specified and version is not recognized, we will only accept the highest TLS version supported by the local SSL implementation.</property>
+ </object>
+ <packing>
+ <property name="expand">True</property>
+ <property name="fill">True</property>
+ <property name="padding">1</property>
+ <property name="position">1</property>
+ </packing>
+ </child>
+ </object>
+ <packing>
+ <property name="expand">False</property>
+ <property name="fill">True</property>
+ <property name="position">2</property>
+ </packing>
+ </child>
+ <child>
+ <object class="GtkBox">
+ <property name="visible">True</property>
+ <property name="can_focus">False</property>
+ <child>
+ <object class="GtkLabel" id="tls_version_max_lbl">
+ <property name="visible">True</property>
+ <property name="can_focus">False</property>
+ <property name="label" translatable="yes">TLS ma_x version: </property>
+ <property name="use_underline">True</property>
+ <property name="mnemonic_widget">tls_version_max</property>
+ <property name="xalign">1</property>
+ </object>
+ <packing>
+ <property name="expand">False</property>
+ <property name="fill">True</property>
+ <property name="position">0</property>
+ </packing>
+ </child>
+ <child>
+ <object class="GtkEntry" id="tls_version_max">
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="tooltip_text" translatable="yes">Set the maximum TLS version we will use (default is the highest version supported). Examples for version include "1.0", "1.1", or "1.2".</property>
+ </object>
+ <packing>
+ <property name="expand">True</property>
+ <property name="fill">True</property>
+ <property name="padding">1</property>
+ <property name="position">1</property>
+ </packing>
+ </child>
+ </object>
+ <packing>
+ <property name="expand">False</property>
+ <property name="fill">True</property>
+ <property name="position">3</property>
+ </packing>
+ </child>
 </object>
 <packing>
 <property name="position">4</property>
diff --git a/properties/nm-openvpn-editor.c b/properties/nm-openvpn-editor.c
index 5c409b48e40d3a9e5fb44d5c90a863720e4917a1..363d6f74deb8b8945a9e0a8f6697bf3290563d0a 100644
--- a/properties/nm-openvpn-editor.c
+++ b/properties/nm-openvpn-editor.c
@@ -717,6 +717,8 @@ static const char *const advanced_keys[] = {
 NM_OPENVPN_KEY_TA_DIR,
 NM_OPENVPN_KEY_TLS_CRYPT,
 NM_OPENVPN_KEY_TLS_REMOTE,
+ NM_OPENVPN_KEY_TLS_VERSION_MIN,
+ NM_OPENVPN_KEY_TLS_VERSION_MAX,
 NM_OPENVPN_KEY_TUNNEL_MTU,
 NM_OPENVPN_KEY_TUN_IPV6,
 NM_OPENVPN_KEY_VERIFY_X509_NAME,
@@ -1816,6 +1818,17 @@ advanced_dialog_new (GHashTable *hash, const char *contype)
 _builder_init_optional_spinbutton (builder, "max_routes_checkbutton", "max_routes_spinbutton", !!value, _nm_utils_ascii_str_to_int64 (value, 10, 0, 100000000, 100));
+ value = g_hash_table_lookup (hash, NM_OPENVPN_KEY_TLS_VERSION_MIN);
+ if (value && *value) {
+ widget = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_min"));
+ gtk_entry_set_text (GTK_ENTRY (widget), value);
+ }
+ value = g_hash_table_lookup (hash, NM_OPENVPN_KEY_TLS_VERSION_MAX);
+ if (value && *value) {
+ widget = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_max"));
+ gtk_entry_set_text (GTK_ENTRY (widget), value);
+ }
+
 return dialog;
 }
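Review bot: The `tls_version_min` tooltip, lifted from the openvpn manual, tells the user that `'or-highest'` may be specified, but the widget is a single free-text GtkEntry whose contents are stored as one value and, in the import hunk, a line carrying that second word appears to be rejected by `args_params_check_nargs_n (params, 1, ...)`; the tooltip should describe what this dialog actually accepts, e.g. `Minimum TLS version accepted from the peer, e.g. "1.0", "1.1" or "1.2" (openvpn default is "1.0").` Since the only meaningful inputs are a handful of fixed version strings, a GtkComboBoxText with those entries would prevent malformed values from ever entering the connection; if the entry is kept, `advanced_dialog_new_hash_from_dialog` stores the text verbatim after only an empty check, so surrounding whitespace or extra words reach the service untouched. The second tooltip has the same copied-from-the-manual wording ("we will use") and would read better in the dialog's own voice.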
@@ -2017,6 +2030,15 @@ advanced_dialog_new_hash_from_dialog (GtkWidget *dialog)
 if (hmacauth)
 g_hash_table_insert (hash, NM_OPENVPN_KEY_AUTH, hmacauth);
 }
+ entry = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_min"));
+ value = gtk_entry_get_text (GTK_ENTRY (entry));
+ if (value && *value)
+ g_hash_table_insert (hash, NM_OPENVPN_KEY_TLS_VERSION_MIN, g_strdup (value));
+
+ entry = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_max"));
+ value = gtk_entry_get_text (GTK_ENTRY (entry));
+ if (value && *value)
+ g_hash_table_insert (hash, NM_OPENVPN_KEY_TLS_VERSION_MAX, g_strdup (value));
 contype = g_object_get_data (G_OBJECT (dialog), "connection-type");
 if ( !strcmp (contype, NM_OPENVPN_CONTYPE_TLS)
diff --git a/properties/tests/conf/tls3.ovpn b/properties/tests/conf/tls3.ovpn
new file mode 100644
index 0000000000000000000000000000000000000000..5dd45ba87e27fd44daafad020fec63cb484b46ec
--- /dev/null
+++ b/properties/tests/conf/tls3.ovpn
@@ -0,0 +1,28 @@
+remote 173.8.149.245 1194
+resolv-retry infinite
+
+dev tun
+persist-key
+persist-tun
+link-mtu 1400
+proto udp
+nobind
+pull
+tls-client
+
+float
+
+ca keys/mg8.ca
+cert keys/clee.crt
+key keys/clee.key
+
+tls-crypt keys/46.key
+remote-cert-tls server
+tls-remote "/CN=myvpn.company.com"
+verify-x509-name "C=US, L=Cambridge, CN=GNOME, emailAddress=networkmanager-list@gnome.org" subject
+
+comp-lzo
+verb 3
+
+tls-version-min 1.0
+tls-version-max 1.2
\ No newline at end of file
diff --git a/properties/tests/test-import-export.c b/properties/tests/test-import-export.c
index 8d0a6352fef551ac2621e7afa7f6f6c80954e1fd..5d9201f3f8253c8f01583224adc9a0429493575d 100644
--- a/properties/tests/test-import-export.c
+++ b/properties/tests/test-import-export.c
@@ -379,6 +379,54 @@ test_tls_import_2 (void)
 _check_secret (s_vpn, NM_OPENVPN_KEY_CERTPASS, NULL);
 }
+static void
+test_tls_import_3 (void)
+{
+ _CREATE_PLUGIN (plugin);
+ gs_unref_object NMConnection *connection = NULL;
+ NMSettingConnection *s_con;
+ NMSettingVpn *s_vpn;
+
+ connection = get_basic_connection (plugin, SRCDIR, "tls3.ovpn");
+
+ s_con = _get_setting_connection (connection);
+ g_assert_cmpstr (nm_setting_connection_get_id (s_con), ==, "tls3");
+ g_assert (!nm_setting_connection_get_uuid (s_con));
+
+ s_vpn = _get_setting_vpn (connection);
+
+ _check_item (s_vpn, NM_OPENVPN_KEY_CONNECTION_TYPE, NM_OPENVPN_CONTYPE_TLS);
+ _check_item (s_vpn, NM_OPENVPN_KEY_DEV, "tun");
+ _check_item (s_vpn, NM_OPENVPN_KEY_PROTO_TCP, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_COMP_LZO, "adaptive");
+ _check_item (s_vpn, NM_OPENVPN_KEY_FLOAT, "yes");
+ _check_item (s_vpn, NM_OPENVPN_KEY_RENEG_SECONDS, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE, "173.8.149.245:1194");
+ _check_item (s_vpn, NM_OPENVPN_KEY_PORT, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_TLS_REMOTE, "/CN=myvpn.company.com");
+ _check_item (s_vpn, NM_OPENVPN_KEY_VERIFY_X509_NAME,
+ "subject:C=US, L=Cambridge, CN=GNOME, emailAddress=networkmanager-list@gnome.org");
+ _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_CERT_TLS, "server");
+
+ _check_item (s_vpn, NM_OPENVPN_KEY_CA, SRCDIR"/keys/mg8.ca");
+ _check_item (s_vpn, NM_OPENVPN_KEY_CERT, SRCDIR"/keys/clee.crt");
+ _check_item (s_vpn, NM_OPENVPN_KEY_KEY, SRCDIR"/keys/clee.key");
+ _check_item (s_vpn, NM_OPENVPN_KEY_TLS_CRYPT, SRCDIR"/keys/46.key");
+
+ _check_secret (s_vpn, NM_OPENVPN_KEY_PASSWORD, NULL);
+ _check_secret (s_vpn, NM_OPENVPN_KEY_CERTPASS, NULL);
+
+ _check_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN, "1.0");
+ _check_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MAX, "1.2");
+
+}
+
 static void
 test_file_contents (const char *id,
 const char *dir,
@@ -1041,6 +1089,9 @@ int main (int argc, char **argv)
 _add_test_func_simple (test_tls_import_2);
 _add_test_func ("tls2-export", test_export_compare, "tls2.ovpn", "tls2.ovpntest");
+ _add_test_func_simple (test_tls_import_3);
+ _add_test_func ("tls3-export", test_export_compare, "tls3.ovpn", "tls3.ovpntest");
+
 _add_test_func_simple (test_pkcs12_import);
 _add_test_func ("pkcs12-export", test_export_compare, "pkcs12.ovpn", "pkcs12.ovpntest");
diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
index c0fb72491705b809c8c825415f984aa6babbd1a4..e5810c1367072e947a33b24c7539ee43b7e89147 100644
--- a/shared/nm-service-defines.h
+++ b/shared/nm-service-defines.h
@@ -73,6 +73,8 @@
 #define NM_OPENVPN_KEY_TLS_CIPHER "tls-cipher"
 #define NM_OPENVPN_KEY_TLS_CRYPT "tls-crypt"
 #define NM_OPENVPN_KEY_TLS_REMOTE "tls-remote"
+#define NM_OPENVPN_KEY_TLS_VERSION_MIN "tls-version-min"
+#define NM_OPENVPN_KEY_TLS_VERSION_MAX "tls-version-max"
 #define NM_OPENVPN_KEY_TUNNEL_MTU "tunnel-mtu"
 #define NM_OPENVPN_KEY_TUN_IPV6 "tun-ipv6"
 #define NM_OPENVPN_KEY_USERNAME "username"
diff --git a/shared/utils.h b/shared/utils.h
index e3f30be86e962de52007854c6a5478c222f3802e..a32c098d2f0c627c75528a1ee4b0b869099fdff5 100644
--- a/shared/utils.h
+++ b/shared/utils.h
@@ -75,6 +75,8 @@
 #define NMV_OVPN_TAG_TLS_CLIENT "tls-client"
 #define NMV_OVPN_TAG_TLS_CRYPT "tls-crypt"
 #define NMV_OVPN_TAG_TLS_REMOTE "tls-remote"
+#define NMV_OVPN_TAG_TLS_VERSION_MIN "tls-version-min"
+#define NMV_OVPN_TAG_TLS_VERSION_MAX "tls-version-max"
 #define NMV_OVPN_TAG_TOPOLOGY "topology"
 #define NMV_OVPN_TAG_TUN_IPV6 "tun-ipv6"
 #define NMV_OVPN_TAG_TUN_MTU "tun-mtu"
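Review bot: `_add_test_func ("tls3-export", test_export_compare, "tls3.ovpn", "tls3.ovpntest")` in the `main` hunk refers to an expected-output file `tls3.ovpntest` that no hunk of this patch creates, and the Makefile.am hunk adds only `properties/tests/conf/tls3.ovpn` to `EXTRA_DIST`; unless that file already exists in the tree, the new export test cannot pass and a distribution tarball would not carry it. The companion fixture `tls3.ovpn` is also committed without a trailing newline, which the other `.ovpn` fixtures presumably have. In `test_tls_import_3` the blank line before the closing `}` is stray and the two new `_check_item` calls for the TLS version keys would sit more naturally next to the other `_check_item` lines rather than after the `_check_secret` calls.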
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index 59b64ebfc95ee0a124289139d12fa13101ac9d53..357371497e8c486fa1ebb6220855e28f568d2e08 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -193,6 +193,8 @@ static const ValidProperty valid_properties[] = {
 { NM_OPENVPN_KEY_CERTPASS_FLAGS, G_TYPE_STRING, 0, 0, FALSE },
 { NM_OPENVPN_KEY_NOSECRET, G_TYPE_STRING, 0, 0, FALSE },
 { NM_OPENVPN_KEY_HTTP_PROXY_PASSWORD_FLAGS, G_TYPE_STRING, 0, 0, FALSE },
+ { NM_OPENVPN_KEY_TLS_VERSION_MIN, G_TYPE_STRING, 0, 0, FALSE },
+ { NM_OPENVPN_KEY_TLS_VERSION_MAX, G_TYPE_STRING, 0, 0, FALSE },
 { NULL, G_TYPE_NONE, FALSE }
 };
@@ -1652,6 +1654,16 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
 args_add_strv (args, "--tls-crypt");
 args_add_utf8safe_str (args, tmp);
 }
+ tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN);
+ if (nmovpn_arg_is_set (tmp)) {
+ args_add_strv (args, "--tls-version-min");
+ args_add_strv (args, tmp);
+ }
+ tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MAX);
+ if (nmovpn_arg_is_set (tmp)) {
+ args_add_strv (args, "--tls-version-max");
+ args_add_strv (args, tmp);
+ }
 tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_EXTRA_CERTS);
 if (nmovpn_arg_is_set (tmp)) {